cds-snc / cloud-based-sensor

Infrastructure configuration to manage CCCS's Cloud Based Sensor in AWS accounts
https://cyber.gc.ca/en/host-based-sensors
MIT License

feat: upgrade to CBS agent v2.3 #339

Closed patheard closed 5 months ago

patheard commented 5 months ago

Summary

Remove resources that are no longer needed now that we have upgraded to v2.3 of the CBS agent.

All log files are now sent via S3 bucket replication rules, so the custom IAM role, KMS key policy and CloudWatch alarms are no longer used.

Related

github-actions[bot] commented 5 months ago

Central account

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 1 to change, 3 to destroy
Show summary | CHANGE | NAME | |--------|---------------------------------------------------| | delete | `aws_iam_policy.log_archive_read` | | | `aws_iam_role.log_archive_read` | | | `aws_iam_role_policy_attachment.log_archive_read` | | update | `aws_kms_key.log_archive_encrypt` |
Show plan ```terraform Resource actions are indicated with the following symbols: ~ update in-place - destroy Terraform will perform the following actions: # aws_iam_policy.log_archive_read will be destroyed # (because aws_iam_policy.log_archive_read is not in configuration) - resource "aws_iam_policy" "log_archive_read" { - arn = "arn:aws:iam::871282759583:policy/CbsASEAReaderRole" -> null - attachment_count = 1 -> null - id = "arn:aws:iam::871282759583:policy/CbsASEAReaderRole" -> null - name = "CbsASEAReaderRole" -> null - path = "/" -> null - policy = jsonencode( { - Statement = [ - { - Action = [ - "s3:ListBucket", - "s3:GetObject", ] - Effect = "Allow" - Resource = [ - "arn:aws:s3:::cbs-log-archive-871282759583/*", - "arn:aws:s3:::cbs-log-archive-871282759583", ] - Sid = "" }, - { - Action = "kms:Decrypt" - Effect = "Allow" - Resource = "arn:aws:kms:ca-central-1:871282759583:key/c4591f87-9445-4840-acb6-a5569e703c93" - Sid = "" }, ] - Version = "2012-10-17" } ) -> null - policy_id = "ANPA4VXD726PUXKJCTVB3" -> null - tags = {} -> null - tags_all = {} -> null } # aws_iam_role.log_archive_read will be destroyed # (because aws_iam_role.log_archive_read is not in configuration) - resource "aws_iam_role" "log_archive_read" { - arn = "arn:aws:iam::871282759583:role/CbsASEAReaderRole" -> null - assume_role_policy = (sensitive) -> null - create_date = "2022-02-03T20:14:23Z" -> null - description = "" -> null - force_detach_policies = false -> null - id = "CbsASEAReaderRole" -> null - managed_policy_arns = [ - "arn:aws:iam::871282759583:policy/CbsASEAReaderRole", ] -> null - max_session_duration = 3600 -> null - name = "CbsASEAReaderRole" -> null - name_prefix = "" -> null - path = "/" -> null - permissions_boundary = "" -> null - tags = {} -> null - tags_all = {} -> null - unique_id = "AROA4VXD726P72MVE65HX" -> null - inline_policy {} } # aws_iam_role_policy_attachment.log_archive_read will be destroyed # (because aws_iam_role_policy_attachment.log_archive_read is not 
in configuration) - resource "aws_iam_role_policy_attachment" "log_archive_read" { - id = "CbsASEAReaderRole-20220203201424538400000001" -> null - policy_arn = "arn:aws:iam::871282759583:policy/CbsASEAReaderRole" -> null - role = "CbsASEAReaderRole" -> null } # aws_kms_key.log_archive_encrypt will be updated in-place ~ resource "aws_kms_key" "log_archive_encrypt" { id = "c4591f87-9445-4840-acb6-a5569e703c93" ~ policy = (sensitive) tags = {} # (13 unchanged attributes hidden) } Plan: 0 to add, 1 to change, 3 to destroy. Warning: Argument is deprecated with module.log_archive_access_bucket.aws_s3_bucket.this, on .terraform/modules/log_archive_access_bucket/S3_log_bucket/main.tf line 8, in resource "aws_s3_bucket" "this": 8: resource "aws_s3_bucket" "this" { Use the aws_s3_bucket_server_side_encryption_configuration resource instead (and 7 more similar warnings elsewhere) ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh WARN - plan.json - main - Missing Common Tags: ["aws_kms_key.log_archive_encrypt"] WARN - plan.json - main - Missing Common Tags: ["aws_sns_topic.log_archive"] 21 tests, 19 passed, 2 warnings, 0 failures, 0 exceptions ```
github-actions[bot] commented 5 months ago

Central Alarms

✅   Terraform Init: success ✅   Terraform Validate: success ✅   Terraform Format: success ✅   Terraform Plan: success ✅   Conftest: success

⚠️   Warning: resources will be destroyed by this change!

Plan: 0 to add, 0 to change, 6 to destroy
Show summary | CHANGE | NAME | |--------|-----------------------------------------------------------| | delete | `aws_cloudwatch_log_metric_filter.transport_lambda_error` | | | `aws_cloudwatch_metric_alarm.no_transport_lambda_logs` | | | `aws_cloudwatch_metric_alarm.transport_lambda_error` | | | `aws_kms_key.sns_cloudwatch` | | | `aws_sns_topic.cloudwatch_alarm` | | | `aws_sns_topic_subscription.cloudwatch_alarm` |
Show plan ```terraform Resource actions are indicated with the following symbols: - destroy Terraform will perform the following actions: # aws_cloudwatch_log_metric_filter.transport_lambda_error will be destroyed # (because aws_cloudwatch_log_metric_filter.transport_lambda_error is not in configuration) - resource "aws_cloudwatch_log_metric_filter" "transport_lambda_error" { - id = "TransportLambdaErrorLogged" -> null - log_group_name = "/aws/lambda/CbsTransportLambda" -> null - name = "TransportLambdaErrorLogged" -> null - pattern = "ERROR" -> null - metric_transformation { - dimensions = {} -> null - name = "TransportLambdaErrorLogged" -> null - namespace = "CloudBasedSensor" -> null - unit = "None" -> null - value = "1" -> null } } # aws_cloudwatch_metric_alarm.no_transport_lambda_logs will be destroyed # (because aws_cloudwatch_metric_alarm.no_transport_lambda_logs is not in configuration) - resource "aws_cloudwatch_metric_alarm" "no_transport_lambda_logs" { - actions_enabled = true -> null - alarm_actions = [ - "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm", ] -> null - alarm_description = "CBS Transport lambda is sending logs to CCCS over a 30 minute period" -> null - alarm_name = "NoTransportLambdaNoLogs" -> null - arn = "arn:aws:cloudwatch:ca-central-1:871282759583:alarm:NoTransportLambdaNoLogs" -> null - comparison_operator = "LessThanThreshold" -> null - datapoints_to_alarm = 0 -> null - dimensions = { - "LogGroupName" = "/aws/lambda/CbsTransportLambda" } -> null - evaluation_periods = 6 -> null - id = "NoTransportLambdaNoLogs" -> null - insufficient_data_actions = [] -> null - metric_name = "IncomingLogEvents" -> null - namespace = "AWS/Logs" -> null - ok_actions = [ - "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm", ] -> null - period = 300 -> null - statistic = "Sum" -> null - tags = {} -> null - tags_all = {} -> null - threshold = 100 -> null - treat_missing_data = "notBreaching" -> null } # 
aws_cloudwatch_metric_alarm.transport_lambda_error will be destroyed # (because aws_cloudwatch_metric_alarm.transport_lambda_error is not in configuration) - resource "aws_cloudwatch_metric_alarm" "transport_lambda_error" { - actions_enabled = true -> null - alarm_actions = [ - "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm", ] -> null - alarm_description = "Errors logged by the CBS transport lambda" -> null - alarm_name = "TransportLambdaErrorLogged" -> null - arn = "arn:aws:cloudwatch:ca-central-1:871282759583:alarm:TransportLambdaErrorLogged" -> null - comparison_operator = "GreaterThanOrEqualToThreshold" -> null - datapoints_to_alarm = 0 -> null - dimensions = {} -> null - evaluation_periods = 1 -> null - id = "TransportLambdaErrorLogged" -> null - insufficient_data_actions = [] -> null - metric_name = "TransportLambdaErrorLogged" -> null - namespace = "CloudBasedSensor" -> null - ok_actions = [ - "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm", ] -> null - period = 60 -> null - statistic = "Sum" -> null - tags = {} -> null - tags_all = {} -> null - threshold = 1 -> null - treat_missing_data = "notBreaching" -> null } # aws_kms_key.sns_cloudwatch will be destroyed # (because aws_kms_key.sns_cloudwatch is not in configuration) - resource "aws_kms_key" "sns_cloudwatch" { - arn = "arn:aws:kms:ca-central-1:871282759583:key/54afea5c-f3a9-43ba-aca1-904ba0dc2ef2" -> null - bypass_policy_lockout_safety_check = false -> null - customer_master_key_spec = "SYMMETRIC_DEFAULT" -> null - description = "KMS key for CloudWatch SNS topic" -> null - enable_key_rotation = false -> null - id = "54afea5c-f3a9-43ba-aca1-904ba0dc2ef2" -> null - is_enabled = true -> null - key_id = "54afea5c-f3a9-43ba-aca1-904ba0dc2ef2" -> null - key_usage = "ENCRYPT_DECRYPT" -> null - multi_region = false -> null - policy = jsonencode( { - Statement = [ - { - Action = "kms:*" - Effect = "Allow" - Principal = { - AWS = "arn:aws:iam::871282759583:root" } - Resource = "*" - Sid 
= "" }, - { - Action = [ - "kms:GenerateDataKey*", - "kms:Decrypt", ] - Effect = "Allow" - Principal = { - Service = "cloudwatch.amazonaws.com" } - Resource = "*" - Sid = "" }, ] - Version = "2012-10-17" } ) -> null - rotation_period_in_days = 0 -> null - tags = { - "CostCentre" = "cbs-871282759583" - "Product" = "cloud-based-sensor" - "Terraform" = "true" } -> null - tags_all = { - "CostCentre" = "cbs-871282759583" - "Product" = "cloud-based-sensor" - "Terraform" = "true" } -> null } # aws_sns_topic.cloudwatch_alarm will be destroyed # (because aws_sns_topic.cloudwatch_alarm is not in configuration) - resource "aws_sns_topic" "cloudwatch_alarm" { - application_success_feedback_sample_rate = 0 -> null - arn = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm" -> null - content_based_deduplication = false -> null - fifo_topic = false -> null - firehose_success_feedback_sample_rate = 0 -> null - http_success_feedback_sample_rate = 0 -> null - id = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm" -> null - kms_master_key_id = "54afea5c-f3a9-43ba-aca1-904ba0dc2ef2" -> null - lambda_success_feedback_sample_rate = 0 -> null - name = "cbs-cloudwatch-alarm" -> null - owner = "871282759583" -> null - policy = jsonencode( { - Id = "__default_policy_ID" - Statement = [ - { - Action = [ - "SNS:GetTopicAttributes", - "SNS:SetTopicAttributes", - "SNS:AddPermission", - "SNS:RemovePermission", - "SNS:DeleteTopic", - "SNS:Subscribe", - "SNS:ListSubscriptionsByTopic", - "SNS:Publish", ] - Condition = { - StringEquals = { - AWS:SourceOwner = "871282759583" } } - Effect = "Allow" - Principal = { - AWS = "*" } - Resource = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm" - Sid = "__default_statement_ID" }, ] - Version = "2008-10-17" } ) -> null - signature_version = 0 -> null - sqs_success_feedback_sample_rate = 0 -> null - tags = { - "CostCentre" = "cbs-871282759583" - "Terraform" = "true" } -> null - tags_all = { - "CostCentre" = "cbs-871282759583" - 
"Terraform" = "true" } -> null } # aws_sns_topic_subscription.cloudwatch_alarm will be destroyed # (because aws_sns_topic_subscription.cloudwatch_alarm is not in configuration) - resource "aws_sns_topic_subscription" "cloudwatch_alarm" { - arn = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm:f93d4648-360c-45d5-a471-81cbdbbcdd78" -> null - confirmation_timeout_in_minutes = 1 -> null - confirmation_was_authenticated = false -> null - delivery_policy = "" -> null - endpoint = (sensitive) -> null - endpoint_auto_confirms = false -> null - filter_policy = "" -> null - filter_policy_scope = "" -> null - id = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm:f93d4648-360c-45d5-a471-81cbdbbcdd78" -> null - owner_id = "871282759583" -> null - pending_confirmation = false -> null - protocol = "https" -> null - raw_message_delivery = false -> null - redrive_policy = "" -> null - replay_policy = "" -> null - subscription_role_arn = "" -> null - topic_arn = "arn:aws:sns:ca-central-1:871282759583:cbs-cloudwatch-alarm" -> null } Plan: 0 to add, 0 to change, 6 to destroy. ───────────────────────────────────────────────────────────────────────────── Saved the plan to: plan.tfplan To perform exactly these actions, run the following command to apply: terraform apply "plan.tfplan" Releasing state lock. This may take a few moments... ```
Show Conftest results ```sh 20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions ```
patheard commented 5 months ago

Closing as the task is being handed off to Internal SRE.